Why unable to run certificate package version quer...

x3ncrypt · ‎05-03-2022

Unable to perform the following search provided by Splunk to check forwarder certificate package version:

index=_internal source=*metrics.log group=tcpout_connections

name=splunkcloud*

| stats latest(_time) AS _time latest(name) AS name by host

| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"

| eval fwd_config=if(isnotnull(output_group),“new”,“legacy”)

| stats count by _time host output_group fwd_config

| reltime

| fields _time reltime host output_group fwd_config

| sort 0 fwd_config

x3ncrypt · ‎05-03-2022

No errors are displayed after running the search, yet I receive no returned results.

isoutamo · ‎05-04-2022

Hi

you are running this towards Splunk Cloud environment (UFs' send data to SC) and you haven't change output_group names from what they have provided with UF configuration packages?

One change what you can do is

index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),"new","legacy")
| fillnull value="N/A" output_group
| stats count by _time host output_group fwd_config
| reltime 
| fields _time reltime host output_group fwd_config 
| sort 0 fwd_config

So update output_group name to "N/A" if it's null (shouldn't be) after fwd_config has set.

Have you gotten any events when you runs only 1st line?

r. Ismo

Why unable to run certificate package version query for forwarders?

rex

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!